apiVersion: v1
{% if env == "staging" %}
kind: Role
{% else %}
# Namespace-local roles did not work until openshift 3.6
# https://github.com/openshift/origin/issues/14078
kind: ClusterRole
{% endif %}
metadata:
  annotations:
    openshift.io/description: An application owner. Can view everything but ConfigMaps.
  name: appowner
  namespace: "{{ app }}"
rules:
- apiGroups:
  - ""
  attributeRestrictions: null
  resources:
  - endpoints
  - persistentvolumeclaims
  - pods
  - pods/attach
  - pods/exec
  - replicationcontrollers
  - serviceaccounts
  - services
  verbs:
  - get
  - list
  - watch
{% if env == "staging" %}
  - create
  - delete
  - update
{% endif %}
- apiGroups:
  - ""
  attributeRestrictions: null
  resources:
  - bindings
  - events
  - limitranges
  - namespaces
  - namespaces/status
  - pods/log
  - pods/status
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - autoscaling
  attributeRestrictions: null
  resources:
  - horizontalpodautoscalers
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - batch
  attributeRestrictions: null
  resources:
  - cronjobs
  - jobs
  - scheduledjobs
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - "*"
  attributeRestrictions: null
  resources:
  - deployments
  - deployments/scale
  - horizontalpodautoscalers
  - jobs
  - replicasets
  - replicasets/scale
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  attributeRestrictions: null
  resources:
  - daemonsets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  attributeRestrictions: null
  resources:
  - statefulsets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - "*"
  attributeRestrictions: null
  resources:
  - buildconfigs
  - buildconfigs/webhooks
  - builds
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - "*"
  attributeRestrictions: null
  resources:
  - builds/log
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - build.openshift.io
  attributeRestrictions: null
  resources:
  - jenkins
  verbs:
  - view
- apiGroups:
  - "*"
  attributeRestrictions: null
  resources:
  - deploymentconfigs
  - deploymentconfigs/scale
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  attributeRestrictions: null
  resources:
  - deploymentconfigs/log
  - deploymentconfigs/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  attributeRestrictions: null
  resources:
  - imagestreamimages
  - imagestreammappings
  - imagestreams
  - imagestreamtags
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  attributeRestrictions: null
  resources:
  - imagestreams/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  attributeRestrictions: null
  resources:
  - projects
  verbs:
  - get
- apiGroups:
  - ""
  attributeRestrictions: null
  resources:
  - appliedclusterresourcequotas
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  attributeRestrictions: null
  resources:
  - routes
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  attributeRestrictions: null
  resources:
  - routes/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  attributeRestrictions: null
  resources:
  - processedtemplates
  - templateconfigs
  - templates
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  attributeRestrictions: null
  resources:
  - buildlogs
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  attributeRestrictions: null
  resources:
  - resourcequotausages
  verbs:
  - get
  - list
  - watch
